Is it safe to assume that a person can logon to their local computer, connect to a share, walk away from their computer and authentication events can continue for days? In other words, the share that they are connected to will continue to authenticate every so often correct? I'm basically trying to explain why authentication events on a DC don't prove that someone is logging in.